The following is a guest article by Michelle Moreno, Vice President, Security, Compliance & Project Management at Kinetik
For most health plan executives, non-emergency medical transportation (NEMT) represents a small fraction of total healthcare costs, yet it generates a disproportionate share of problems: compliance risk, member complaints, and regulatory scrutiny. What was once viewed as an operational necessity (getting members to medical appointments) has become a critical junction of regulatory compliance, data security, and program integrity.
Consider this: a single NEMT data breach exposing member Protected Health Information (PHI) can trigger HIPAA civil penalties of up to roughly $2.1 million per year for each category of violation (the inflation-adjusted annual cap). Add reputational damage, member lawsuits, and CMS scrutiny, and suddenly a low-bid transportation vendor doesn't look like such a bargain.
The Perfect Storm: Where Healthcare Compliance Meets Transportation Complexity
As the Centers for Medicare & Medicaid Services (CMS) intensifies its focus on program integrity and states implement stricter NEMT oversight requirements, health plans face an uncomfortable truth: their transportation partners often operate with security standards that wouldn’t suffice in any other area of healthcare delivery.
The disconnect is stark. While health plans invest millions in enterprise security and compliance programs, the NEMT programs that touch thousands of vulnerable members daily may rely on vendors using:
- Spreadsheet-based trip management with minimal access controls
- Unencrypted member data shared across subcontractor networks
- Manual processes with no audit trails
- Outdated systems lacking real-time fraud detection
This isn’t just a technology gap; it’s a compliance time bomb. And in an era where a single improper payment can trigger a full CMS audit, health plans can no longer afford to treat NEMT security as someone else’s problem.
The New Gold Standard: What Health Plans Should Demand
Forward-thinking health plans are rewriting their NEMT evaluation criteria, recognizing that true program success requires partners who match their own commitment to security and compliance. But what should plans actually look for?
Enterprise-Grade Security Certifications
Gone are the days when a vendor's self-attestation of HIPAA compliance sufficed. Leading NEMT partners must now maintain:
- HITRUST r2 Certification: the risk-based, two-year validated assessment against the HITRUST CSF, the healthcare industry's most comprehensive security certification
- SOC 2 Type II: an independent auditor's opinion that security controls (and, where scoped, availability, confidentiality, and privacy controls) operated effectively over a review period, not just at a point in time
- SOC 1 Type II: controls relevant to the health plan's financial reporting, tested over a period, which matter because trip data feeds claims and payment
These certifications aren't just badges; they represent thousands of hours of security engineering and independent validation, and health plans should expect their NEMT partners to achieve and maintain them. Ask for the current report, confirm that its scope covers the systems that actually hold your members' data, and read the exceptions rather than the cover letter.
Proactive Fraud Prevention Architecture
Modern NEMT platforms should prevent fraud by design, not just detect it after the fact. This means:
- GPS-verified trip validation that confirms services were actually delivered
- Real-time anomaly detection that flags suspicious patterns before payment
- Role-based access controls that limit data exposure
- Comprehensive audit trails that satisfy the most stringent compliance reviews
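As an added illustration (example code written for this article, not Kinetik's platform or any vendor's product), the following Python sketch shows how the four points above fit together at claim time: the first and last GPS fixes are checked against the scheduled pickup and drop-off addresses, the pickup time against the scheduled window, billed mileage against the GPS-derived distance, and overlapping claims for the same member are caught before payment; every decision, with the actor and role that made it, is written to a hash-chained audit log that reveals later tampering. All trip records, coordinates, thresholds, actor and role names are constructed for the example.

```python
"""Added example: pre-payment NEMT trip validation with a tamper-evident audit trail.
Illustrative only; trip data, coordinates, thresholds and role names are constructed."""
import copy
import hashlib
import json
import math
from datetime import datetime, timedelta

# Hypothetical policy thresholds (assumed for the example, not from the article).
GEOFENCE_M = 150           # first/last GPS fix must be within 150 m of the scheduled address
TIME_WINDOW_MIN = 60       # pickup must occur within +/- 60 min of the scheduled time
MILEAGE_TOLERANCE = 1.25   # billed miles may exceed GPS-derived miles by at most 25%

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))

def trace_miles(trace):
    """Distance actually driven according to the GPS trace, in miles."""
    metres = sum(haversine_m(a["lat"], a["lon"], b["lat"], b["lon"])
                 for a, b in zip(trace, trace[1:]))
    return metres / 1609.344

def validate_trip(trip, prior_trips):
    """Run the pre-payment checks; an empty list of findings means the claim may proceed."""
    trace = trip["gps_trace"]
    if not trace:
        return ["NO_GPS_TRACE"]          # no evidence the trip happened at all
    findings = []
    first, last = trace[0], trace[-1]
    if haversine_m(first["lat"], first["lon"], *trip["pickup"]) > GEOFENCE_M:
        findings.append("PICKUP_OUTSIDE_GEOFENCE")
    if haversine_m(last["lat"], last["lon"], *trip["dropoff"]) > GEOFENCE_M:
        findings.append("DROPOFF_OUTSIDE_GEOFENCE")
    if abs(first["ts"] - trip["scheduled_pickup"]) > timedelta(minutes=TIME_WINDOW_MIN):
        findings.append("PICKUP_OUTSIDE_TIME_WINDOW")
    if trip["billed_miles"] > trace_miles(trace) * MILEAGE_TOLERANCE:
        findings.append("BILLED_MILES_EXCEED_GPS")
    # A second claim for the same member in the same window is a classic duplicate-billing pattern.
    for other in prior_trips:
        if (other["member_id"] == trip["member_id"]
                and abs(other["scheduled_pickup"] - trip["scheduled_pickup"])
                < timedelta(minutes=TIME_WINDOW_MIN)):
            findings.append("OVERLAPS_TRIP_" + other["trip_id"])
    return findings

def append_audit(log, actor, role, trip_id, findings):
    """Append a hash-chained record: who decided, in what role, and what was flagged."""
    prev = log[-1]["hash"] if log else "0" * 64
    record = {"actor": actor, "role": role, "trip_id": trip_id,
              "findings": findings, "prev": prev}
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    log.append(record)
    return record

def verify_audit(log):
    """True only if every record still matches its hash and links to its predecessor."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def run_example():
    """Constructed data: one legitimate trip and one that should be held before payment."""
    sched = datetime(2024, 3, 4, 9, 0)
    pickup, dropoff = (40.0000, -83.0000), (40.0300, -83.0000)   # about 2 miles apart
    good = {"trip_id": "T-1001", "member_id": "M-42", "pickup": pickup, "dropoff": dropoff,
            "scheduled_pickup": sched, "billed_miles": 2.2,
            "gps_trace": [{"ts": sched + timedelta(minutes=10), "lat": 40.0001, "lon": -83.0},
                          {"ts": sched + timedelta(minutes=15), "lat": 40.0150, "lon": -83.0},
                          {"ts": sched + timedelta(minutes=20), "lat": 40.0299, "lon": -83.0}]}
    # Same member, same slot, vehicle never near the pickup, 2.5 h late, 6 miles billed for under 1.
    bad = {"trip_id": "T-1002", "member_id": "M-42", "pickup": pickup, "dropoff": dropoff,
           "scheduled_pickup": sched, "billed_miles": 6.0,
           "gps_trace": [{"ts": sched + timedelta(hours=2, minutes=30), "lat": 40.0200, "lon": -83.0},
                         {"ts": sched + timedelta(hours=2, minutes=35), "lat": 40.0299, "lon": -83.0}]}
    log = []
    good_findings = validate_trip(good, [])
    append_audit(log, "svc-claims", "adjudicator", good["trip_id"], good_findings)
    bad_findings = validate_trip(bad, [good])
    append_audit(log, "svc-claims", "adjudicator", bad["trip_id"], bad_findings)
    tampered = copy.deepcopy(log)
    tampered[1]["findings"] = []           # someone clears the flags after the fact
    return {"good": good_findings, "bad": bad_findings,
            "audit_ok": verify_audit(log), "tampered_ok": verify_audit(tampered)}

if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The checks run before the claim is paid, which is the point of "prevention by design": a trip whose vehicle was never near the pickup address, arrived hours off schedule, or billed several times the distance the GPS trace supports is held with its findings recorded, and the hash chain means a later edit to those findings (the tampered copy above) is detectable on review. In production the thresholds would be tuned per program and the log would be append-only storage, but the structure is the same.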
Data Governance That Matches Healthcare Standards
NEMT partners handle PHI just as an EHR vendor does: member identities, home addresses, and appointment destinations that can reveal a diagnosis. They should be held to the same standards, including encryption at rest and in transit, regular penetration testing, tested incident response procedures, and clear data retention and disposal policies.
Critical Questions for NEMT Vendor Evaluation
As health plans evaluate NEMT partners, it is important to move beyond traditional RFP questions.
- What independent security certifications do you maintain, and can you provide current attestation reports?
- How does your platform prevent fraud before claims are submitted?
- Can you demonstrate a complete audit trail for any trip in your system?
- How do you ensure subcontractors maintain equivalent security standards, and are they bound by business associate agreements that flow those obligations down?
Vendors who struggle with these questions may not be prepared for the security challenges facing modern NEMT programs.
The Path Forward: Security as Foundation, Not Feature
The platforms that will deliver are those built on a simple principle: security and compliance are not features to be added later but the foundation on which everything else is built. Health plans deserve NEMT partners who match their own commitment to protecting member data and program integrity.
This isn't about any single vendor; it's about raising the bar for an entire industry. As health plans demand more from their NEMT partners, the entire ecosystem becomes more secure, efficient, and trustworthy.
The Choice That Defines The Program
For health plan executives, the choice of NEMT partner has evolved from an operational decision to a strategic one. In an environment of increasing regulatory scrutiny, rising fraud costs, and heightened member expectations, partnering with vendors who treat security as an afterthought is no longer viable.
The future of NEMT belongs to partnerships built on a foundation of trust, transparency, and uncompromising security standards—where health plans, transportation providers, and technology partners work together to protect members, ensure compliance, and deliver a seamless experience. With these values, the industry can move beyond risk mitigation and toward meaningful, measurable impact.
About Michelle Moreno
Michelle Moreno serves as Vice President of Security, Compliance, and Project Management at Kinetik. With over 20 years of experience leading technology and operations teams, she brings a practical, results-driven approach to scaling teams, reducing risk, and enabling business transformation. Her leadership ensures that Kinetik’s platform not only delivers operational value but also meets the highest standards of security and compliance.